Skip to main content
Question

UDM case.alertes.entities in a graph

  • October 28, 2025
  • 1 reply
  • 38 views
Evrard
Forum|alt.badge.img

Hello,

 

I have been asking to do a dashboard about our Cases. It must prompt specifics cases‘s entities names but I keep struggling.

This is what I did so far, but I did not found any more information over the documentation except this https://docs.cloud.google.com/chronicle/docs/reference/soar-data-dashboard#soar-involved-entities

 

case.tags.name="phishing"

 

outcome:
  $case = case.display_name
  $name = case.alerts[0].entities[0].name
  $type = case.alerts[0].entities[0].type
I guess that both alerts & entities are somewhat lists but I don’t understand who deep dive in it.
 
Thank for your time.
mdanowar

1 reply

AbdElHafez
Staff
Forum|alt.badge.img+12
  • AbdElHafez
  • Staff
  • October 31, 2025

@Evrard You could use this example as a reference; 

match:

    case.alerts.entities.identifier , case.name

outcome:

    $count=count(case.name)

    $arr_alertsMeta = array(case.alerts.metadata.id)

//Reference:https://cloud.google.com/chronicle/docs/reference/soar-data-dashboard#cases-and-alerts

kentphelps
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.